mirror of
https://github.com/ruvnet/RuView
synced 2026-06-09 10:13:17 +00:00
fix: ADR-080 P0 security + CI remediation from QE analysis
Address all 5 P0 issues from QE analysis (55/100 score):

- P0-1: Rate limiter bypass — validate X-Forwarded-For against trusted proxy list
- P0-2: Exception detail leak — generic 500 messages, exception_type gated by dev mode
- P0-3: WebSocket JWT in URL (CWE-598) — first-message auth pattern replaces query param
- P0-4: Rust tests not in CI — add rust-tests job gating docker-build and notify
- P0-5: WebSocket path mismatch — use WS_PATH constant instead of hardcoded /ws/sensing

Includes ADR-080 remediation plan and 9 QE reports (4,914 lines).
Firmware validated on ESP32-S3 (COM8): CSI collecting, calibration OK.

Co-Authored-By: claude-flow <ruv@ruv.net>
@@ -100,8 +100,7 @@ class WsService {
private buildWsUrl(rawUrl: string): string {
const parsed = new URL(rawUrl);
const proto = parsed.protocol === 'https:' || parsed.protocol === 'wss:' ? 'wss:' : 'ws:';
// The /ws/sensing endpoint is served on the same HTTP port (no separate WS port needed).
return `${proto}//${parsed.host}/ws/sensing`;
return `${proto}//${parsed.host}${WS_PATH}`;
}
private handleStatusChange(status: ConnectionStatus): void {
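Review bot: the comment above the changed return in `buildWsUrl` still names `/ws/sensing` literally, so it goes stale as soon as `WS_PATH` points elsewhere; reword it to refer to the constant. The new return concatenates `WS_PATH` directly after `parsed.host`, so the constant must begin with `/`, and neither its definition nor its import is visible in this hunk; confirm both, and consider a unit test that pins the built URL against the server route so the path mismatch this fixes cannot recur silently. Separately, the unchanged `proto` line falls back to `ws:` for any input that is not `https:` or `wss:`, which means the first-message auth token described in the commit message would cross the network unencrypted on those connections; if plaintext is only meant for local development, make that explicit in a comment or gate it.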